Data loss prevention (or “DLP”) programs and tools can be useful for your organization to detect and prevent unauthorized disclosures of sensitive corporate data, including personal information. But to be effective, DLP tools must collect and use personal information. For example, these tools often collect IP addresses, device identifiers, and associated network and online activity, all of which may be personal information under privacy and data protection laws. Further, DLP programs and tools often review transmitted data (which may include other personal information types) to take an action (proactive or reactive) with an individual.
To help your organization meet its obligations under privacy and data protection laws, your organization should evaluate five key issues before implementing DLP programs and tools.
1. Adequate Notice of Monitoring Practices
Several U.S. state laws, including those of Connecticut, Delaware, New York, and Virginia, require notice to employees prior to conducting any electronic monitoring, which would include many DLP tool practices. As of January 1, 2023, the California Consumer Privacy Act (“CCPA”) also applies to the collection, use, and disclosure of employee personal information, and has additional notice requirements that would apply to employee monitoring activities. In addition to U.S. state law requirements, if your organization has employees based outside of the U.S., you must comply with notice requirements under data protection laws such as the European Union’s General Data Protection Regulation (“GDPR”).
Prior to implementing a DLP program or tools, or changing how they work, reach out to your legal or privacy team to make sure the personal information collection, use, retention, and disclosure practices are adequately disclosed to employees and contractors.
2. Proportionality and Lawfulness of Employee Monitoring
While employee monitoring is generally acceptable in the United States if disclosed and (where required) consented to, it is more complicated in other areas like the European Union and United Kingdom based on legal requirements under GDPR and local employment and telecommunications laws.
Regulators prefer that DLP tools take a proactive approach and process less personal information to achieve the organization’s objectives. For example, enforcing document or communication labeling in accordance with data classification policies, and preventing documents or information labeled as “sensitive” from leaving the organization, may require less personal information than monitoring specific employee behavior. Some tools will alert an employee that they are about to send a document or communication that violates a policy rather than alerting their manager or the security team. This lets the employee correct their mistake without embarrassment or penalty, and with less of their personal information captured by the DLP program.
Using DLP tools to monitor remote employees using data collected from personal devices or equipment (such as routers) can also create data protection risk if the tool collects information about the household or the employee’s private life. There is also a risk of violating an employee’s privacy rights if their personal or private documents or communications are collected or analyzed.
Employee monitoring is typically a high-risk processing activity that requires a data protection impact assessment (“DPIA”) under GDPR, which should be done in collaboration with privacy team members, with identified risks being appropriately mitigated. Employee monitoring may also trigger additional requirements before the tool is used, such as works council and data protection officer review and approval, updates to the organization’s record of processing activities, and updated agreements with DLP tool providers.
3. Automated Decision-Making
If the DLP tool will collect and use an employee’s personal information to make a decision without human review, and that decision could have a significant impact on an employee (such as job loss; loss of a promotion, raise, or bonus; or other significant harm), additional privacy and data protection law requirements will apply. In California, automated decision-making activities will be subject to forthcoming regulations from the California Privacy Protection Agency and could require additional risk assessments. Outside of the U.S., data protection laws like GDPR prohibit decisions based solely on automated processing when the decision has a legal effect, unless an exception applies.
Organizations should work closely with their privacy teams to understand whether the DLP tools and programs will make automated decisions regulated by these laws, and if so, to identify the steps needed to comply.
4. Wiretap and Anti-Eavesdropping Laws
When implementing DLP to review the content of incoming and outgoing communications, including email, text messages, and other electronic communications, wiretap and anti-eavesdropping laws may be triggered. Thirteen states in the U.S. require “all party” consent – meaning everyone who is a party to the communication must consent to the monitoring of the content of their communication. Failure to provide adequate notice of the monitoring and obtain appropriate consent can lead to both civil and criminal penalties, potentially even when employer devices or resources are used.
When working with DLP tools, understand whether the tool reviews the content of communications and, if so, how it can be configured to meet notice and consent requirements. Your legal and privacy teams should be consulted too.
5. Data Minimization and Purpose Limitation
Most privacy and data protection laws require that the data collected is reasonably necessary to achieve the desired goal. When implementing a DLP program or tool, document the risks it is trying to mitigate. Once the risks are identified, limit data collection to only information that is necessary to achieve the desired result. For example, if the organization is concerned about proprietary customer lists being disclosed by an employee about to leave the company, limit DLP monitoring for this behavior to the particular risk group and systems processing customer lists.
When monitoring data is collected, it should only be used by authorized personnel to address the documented risks. Any further use of monitoring data should be reviewed with your privacy team to ensure it is compatible with the reason for collecting it. Quickly delete monitoring data that doesn’t flag policy violations to help reduce data breach and employee privacy risks.
By considering these key issues when implementing DLP, your organization will be in a better position to balance privacy and data protection obligations and risks with your DLP program’s goals.